Mechanism for efficient private bulk messaging

ABSTRACT

Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient&#39;s public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient&#39;s public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient&#39;s private key, resulting in an unencrypted message decryption key. The recipient then decrypts the message using the unencrypted message decryption key.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.11/107,679, filed Apr. 15, 2005, which is in turn a continuation of U.S.patent application Ser. No. 09/792,949, entitled “Mechanism forEfficient Private Bulk Messaging” filed Feb. 26, 2001, now U.S. Pat. No.6,912,285, which in turn claims priority of U.S. Provisional PatentApplication No. 60/184,785, filed Feb. 24, 2000. Each of the foregoingapplications is incorporated herein by reference.

BACKGROUND

1. Field of the Invention

The invention relates to secure transmission of documents, and moreparticularly, to transmission of documents to a large number ofrecipients, securely and efficiently.

2. Description of Related Art

The Internet and corporate networks have made the transmission ofdocuments and messages via e-mail commonplace. Bulk messaging has alsobecome commonplace, such as for advertising and promotional purposes.For bulk messaging, typically a user on one computer composes a messageand addresses it to an e-mail group. The message is transmitted to aserver, which substitutes the individual addresses of all the targetrecipients in the group, which may number in the thousands, andtransmits the message individually to each target recipient.

Unlike advertising and promotional uses, many businesses require thattheir communications take place securely. When messages are to betransmitted across an insecure network, such as the Internet, securityis typically accomplished by encrypting the message in a manner that canbe decrypted only with knowledge of a decryption key. Since only theintended recipient is expected to have the decryption key, only thatrecipient will be able to open the message and view its contents.Encryption may be performed using a symmetrical encryption algorithm, inwhich the encryption key matches the decryption key, or by an asymmetricalgorithm, in which the encryption key is different from the decryptionkey. One popular form of asymmetric encryption is public/private keyencryption, described in “Public-key Cryptography Standards,” RSA DataSecurity, Inc. (1991), and in Rivest U.S. Pat. No. 4,405,829, bothincorporated by reference herein.

According to the public/private key crypto system, each target recipienthas both a private key that only the recipient knows, and a public keythat is publicly available. When a sender desires to send a messagesecurely to one of the target recipients, the sender encrypts themessage using the target recipient's public key. Only the targetrecipient then is able to open the message and view its contents.

Secure messaging becomes problematical when the sender desires to sendthe message to a large number of target recipients. If a public/privatekey cryptosystem is to be used, then the sender must encrypt the messageN times, once using the public key of each of the N target recipients,and then send the message separately to each of the target recipients.If the document to be transmitted is large, and/or if N is in thethousands, this can be a formidable task. The encryption part of thetask can be minimized if all of the target recipients share a singledecryption key, because then the sender need encrypt the message onlyonce. But the need for all recipients to have the decryption key posesrisks both in the transmission and in the storage of the key. Thissolution also does not overcome the need for the sender to transmit themessage separately, once to each of the N target recipients.

Accordingly, there is a need for a more efficient mechanism for securebulk transmission of messages.

SUMMARY OF THE INVENTION

According to the invention, roughly described, a sender first encryptsthe message once. The message can be decrypted with a message decryptionkey. These can be symmetric or asymmetric keys. For each recipient, thesender then encrypts the message decryption key with the recipient'spublic key. The sender then sends the encrypted message and theencrypted message decryption keys to a store-and-forward server.Subsequently, one or more recipients connect to the server and retrievethe encrypted message and the message encryption key that has beenencrypted with the recipient's public key. Alternatively, the server canforward these items to each individual recipient. The recipient thendecrypts the encrypted message decryption key with the recipient'sprivate key, resulting in an unencrypted message decryption key. Therecipient then decrypts the message using the unencrypted messagedecryption key.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described with respect to particular embodimentsthereof, and reference will be made to the drawings, in which:

FIG. 1 is a block diagram of a system incorporating the invention.

FIG. 2 is a flowchart of basic steps undertaken by a sender intransmitting a secure bulk message using the arrangement of FIG. 1.

FIG. 3 is a flowchart illustrating the process undertaken by a recipientto retrieve and open the message.

FIG. 4 illustrates a format by which an encrypted message and theencrypted decryption keys are stored on the server of FIG. 1.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of a system incorporating the invention. Itcomprises a sender 110, which sends the encrypted message and encryptedmessage decryption keys to a server 112, which can then be accessed byeach of N target recipients 114-1, 114-2, 114-3, . . . 114-N(collectively, target recipients 114). One or more of the transmissionpaths from the sender 110 to the server 112 or from the server 112 tothe recipients 114 are potentially insecure. As used herein, the term“message” is intended to be read broadly to include all kinds ofinformation that might be transmitted, such as e-mail messages,documents, financial transactions, and so on. Also as used herein, theserver 112 need not be limited to a single computer. It can includemultiple computers which need not even be located physically together.

FIG. 2 is a flowchart of the basic steps undertaken by the sender intransmitting a secure bulk message using the arrangement of FIG. 1. Instep 210, the sender first creates the message to be sent. In step 212,the sender encrypts the message. As mentioned, encryption at this stagecan be either by a symmetric or an asymmetric encryption algorithm.Although there are many examples of acceptable encryption algorithms,one common symmetric algorithm is that described in National Institutesof Standards and Technology, “Data Encryption Standard”, FIPSPublication No. 46-1 (January 1988) (hereinafter “DES”), incorporated byreference herein. The encryption process in step 212 can be reversedusing a message decryption key known by the sender.

In step 214, the sender encrypts the message decryption key N times—onceusing the public key of each of the N target recipients. This yields Nencrypted message decryption keys. In step 216, the sender sends theencrypted message, the addresses of the target recipients, and the listof encrypted message decryption keys to the server 112. It will beappreciated that one of the target recipients could be a third-partymonitor, such as a government agency that is permitted to view themessage if required by law.

Optionally, the sender can also send to the server 112 (or the serveritself generate) a digital signature protecting all of the encrypteddecryption keys associated with a particular encrypted message. The listof encrypted decryption keys thereafter cannot be tampered with withoutbeing detectable by reference to the digital signature. A digitalsignature is created by digesting the list, or significant portions ofthe list, using a well-known digesting algorithm, and then encryptingthe digest with the sender's (or server's) private key of apublic/private pair. In order to check for tampering, an auditor repeatsthe digesting of the list of encrypted decryption keys, to form a newdigest, and then decrypts the digital signature using the sender's (orthe server's) public key, to recover the original digest, and thencompares the two for equality. A satisfactory digesting algorithm isthat describe in R. Rivest, “MD5 Message-Digest Algorithm”, InternetEngineering Task Force RFC No. 1321 (April 1992), incorporated byreference herein.

On the server 112, the encrypted message and the encrypted decryptionkeys are stored as illustrated in FIG. 4. The encrypted message isstored at 410. In conjunction with the encrypted message 410, the serverstores each of the encrypted decryption keys 412-1, 412-2, . . . ,412-N. One of the encrypted decryption keys can, as mentioned above,optionally be a monitor's decryption key 414. Optionally also stored inconjunction with the encrypted message 410, is a digital signature 416protecting the list of encrypted decryption keys. The elementsillustrated in FIG. 4 may be stored all in one contiguous region ofcomputer-readable memory, or across discontiguous regions, or acrossdiscontiguous regions of multiple computer-readable media.

In one embodiment, the server maintains a document management systemwhich not only stores multiple encrypted messages and their associatedencrypted decryption keys, but also provides logical and structuredrestricted access to the various items by individual senders andindividual recipients. For example, one such document management systemallows senders to change the message stored on the server 112, while notallowing other senders to do so and while not allowing any recipient todo so. Another such document management system allows senders to add,delete or change entries in the list of encrypted decryption keys formessages that were transmitted by the sender, while not allowing suchmodifications by other senders or by any recipient. Yet another suchdocument management system, when accessed by a particular recipient,shows the recipient only those messages on which the particularrecipient is identified as a target recipient, hiding any messages forwhich there is no encrypted decryption key for the particular recipient.

FIG. 3 is a flowchart illustrating the process undertaken by a recipientto retrieve and open the message. In step 310, the recipient accessesthe server 112, and in step 312, the recipient downloads the encryptedmessage and at least the particular recipient's encrypted messagedecryption key 412. Alternatively, the server 112 can forward theseitems to the recipient without awaiting action from the recipient. Instep 314, the particular recipient decrypts the recipient's encryptedmessage decryption key, yielding an unencrypted message decryption key.In step 316, the recipient decrypts and views the encrypted messageusing the now-unencrypted message decryption key.

It will be appreciated that the above-described mechanism is capable ofmany variations. As one example, in step 216, the sending of theencrypted message and list of encrypted message decryption keys need nottake place in a single transmission. Some of all of the encryptedmessage decryption keys can be sent earlier or later than the encryptedmessage.

As another example, encrypted decryption keys could be bundled into themessage and the single message with the encrypted decryption keys couldbe broadcast to all recipients without compromising the security of themechanism.

As yet another example, public and private keys for encrypting thedecryption keys could be replaced with symmetric private keys withoutaffecting the security or efficiency of the mechanism.

As still another example, server 112 could be eliminated and the messagewith the encrypted decryption keys could be broadcast to all recipientsand any other listeners, and only the target recipients will be able todecrypt the message and the security of the mechanism is notcompromised.

As yet another example, for one or more of the target recipients, thesender can multiply encrypt the recipient's message decryption key,thereby requiring multiple entities to be involved in the decryption ofthe message decryption key. For example, the sender may first encryptthe message decryption key with the target recipient's public key,yielding a “partially-encrypted” message decryption key. The sender maythen re-encrypt the partially-encrypted message decryption key, usingthe public key of an authorizer, thus yielding the final encryptedmessage decryption key. Upon receipt of the message, the recipient firsthas the encrypted decryption key decrypted by the authorizer, using theauthorizer's private key. This recovers the partially-encrypted messagedecryption key. The recipient then decrypts the partially-encryptedmessage decryption key, using the recipient's private key, thus yieldingthe un-encrypted message decryption key. Alternatively, the order ofencryption for the multiple parties can be reversed, as long as thedecryption sequence takes place in the same order as the encryptionsequence.

The foregoing description of preferred embodiments of the presentinvention has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit theinvention to the precise forms disclosed. Obviously, many modificationsand variations will be apparent to practitioners skilled in this art. Inparticular, and without limitation, any and all variations described,suggested or incorporated by reference in the Background section of thispatent application are specifically incorporated by reference into thedescription herein of embodiments of the invention. The embodimentsdescribed herein were chosen and described in order to best explain theprinciples of the invention and its practical application, therebyenabling others skilled in the art to understand the invention forvarious embodiments and with various modifications as are suited to theparticular use contemplated. It is intended that the scope of theinvention be defined by the following claims and their equivalents.

1. (canceled)
 2. (canceled)
 3. (canceled)
 4. (canceled)
 5. (canceled) 6.(canceled)
 7. (canceled)
 8. (canceled)
 9. (canceled)
 10. (canceled) 11.(canceled)
 12. (canceled)
 13. (canceled)
 14. (canceled)
 15. (canceled)16. A document management system comprising: a sender; plural targetrecipients; and a server coupled between the sender and the targetrecipients to receive from the sender and to provide to at least some ofthe target recipients a message, wherein the provided message isencrypted at least for storage at the server using a sender key and isdecryptable using a corresponding message decryption key that is, inturn, separately encrypted for each of the target recipients usingrespective encryption keys associated with the target recipientsthemselves, thereby resulting in a plurality of recipient-associatedencrypted decryption keys; the server providing each of the targetrecipients with at least a respective one of the recipient-associatedencrypted decryption keys for decryption by the respective targetrecipient to recover the underlying message decryption key and tothereby provide the respective target recipient with access to theencrypted message.
 17. The document management system of claim 16,wherein the respective encryption keys associated with the targetrecipients are public keys of the respective target recipientsestablished in accord with an asymmetric cryptosystem.
 18. The documentmanagement system of claim 16, wherein the sender key is a private keyof the sender established in accord with an asymmetric cryptosystem. 19.The document management system of claim 18, wherein the messagedecryption key is a second key corresponding to the private key andestablished in accord with the asymmetric cryptosystem.
 20. The documentmanagement system of claim 16, wherein the sender key and the messagedecryption key are part of a symmetric cryptosystem.
 21. The documentmanagement system of claim 16, further comprising: a sender system,whereby the sender encrypts the message, using the sender key, to supplythe encrypted message and further encrypts, using respective encryptionkeys associated with the target recipients, the message decryption keyto supply the plurality of recipient-associated encrypted decryptionkeys.
 22. The document management system of claim 16, wherein the sendersystem sends the recipient-associated encrypted decryption keys to theserver for inclusion in a list of authorized encrypted decryption keys.23. The document management system of claim 22, wherein, responsive tothe sender, at least one but less than all of the recipient-associatedencrypted decryption keys on the list is changed or deleted, but not theencrypted message itself which remains unchanged, the changing ordeleting thereby impeding access to the message by at least one targetrecipient for which the at least one recipient-associated encrypteddecryption key was changed, but preserving access, by way of unchangedones of the recipient-associated encrypted decryption keys, to theunchanged encrypted message.
 24. The document management system of claim23, wherein the changing or deleting of one of said recipient-associatedencrypted decryption keys follows provision of the encrypted message toa target recipient.
 25. The document management system of claim 16,wherein on of the target recipients is a monitor.
 26. The documentmanagement system of claim 16, wherein at least the recipient-associatedencrypted decryption keys are protected using a digital signature ormessage digest.
 27. The document management system of claim 16, whereinthe server provides store-and-forward transfer of either or both of theencrypted message and the recipient-associated encrypted decryptionkeys.
 28. The document management system of claim 16, furthercomprising: a recipient system, whereby a particular one of the targetrecipients retrieves from the server the encrypted message and at leasta particular one of the plurality of recipient-associated encrypteddecryption keys.
 29. The document management system of claim 28, whereinthe recipient system is configured to decrypt the retrieved particularone of said plurality of recipient-associated encrypted decryption keysto recover the underlying message decryption key.
 30. The documentmanagement system of claim 28, wherein the recipient system isconfigured to decrypt the encrypted message using the recovered messagedecryption key.
 31. The document management system of claim 28, whereinthe sender changes or deletes at least one of the plurality ofrecipient-associated encrypted decryption keys, and wherein therecipient system decrypts the retrieved particular one of the pluralityof recipient-associated encrypted decryption keys to recover theunderlying message decryption key and, using the recovered messagedecryption key, decrypts the received encrypted message, wherein saidreceived encrypted message remains unchanged even after the deletion orchange of at least one other one of the recipient-associated encrypteddecryption keys.
 32. The document management system of claim 31, whereinthe decrypting of the particular recipient-associated encrypteddecryption key includes decrypting with a key of a first party todevelop a partially decrypted decryption key, and decrypting thepartially decrypted decryption key with a key of a second party.
 33. Thedocument management system of claim 16, wherein the server includesstorage for the plurality of recipient-associated encrypted decryptionkeys and the encrypted message, together with storage for othermessages, wherein the server permits access only to those messagesstored thereon for which an accessing user is a target recipient asindicated by inclusion of a corresponding one of therecipient-associated encrypted decryption keys in the stored pluralityof recipient-associated encrypted decryption keys.